The long awaited 21st Century Cures Act Final Rule on Interoperability, Information Blocking and the ONC Health IT Certification Program was released March 9th 2020, in conjunction with CMS’s Interoperability and Patient Access final rule (CMS-9115-F). These final rules mark the most extensive healthcare data sharing policies issued by the government to date, with a goal of advancing data sharing among public and private entities, patients and other parties while keeping that information private and secure.
Pivot Point Consulting will be publishing a series of Final Rule Briefs to help executives understand the rules and focus on near-term priorities for their organizations. These Briefs are tailored toward provider organizations and will help ensure their systems, vendor partnerships, policies and procedures and workforce are ready in advance of key deadlines. This first Brief covers information blocking, as a significant portion of the ONC final rule addresses this topic.
What is information blocking and who must comply with the information blocking provisions?
Information blocking is defined as a practice that (1) is likely to interfere with access, exchange, and use of electronic health information (EHI) except as required by law or covered by an exception; and (2) if conducted by a health IT developer, health information network or health information exchange, such developer, network, or exchange knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI; or (3) if conducted by a healthcare provider, such provider knows that such practice is unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
The ONC rule defines EHI as electronic protected health information in a designated record set (per HIPAA regulations) and notes that for the 24 months after publication of the rule, the EHI scope for the purposes of the information blocking is limited to the data elements in the USCDI standard also adopted in the final rule.
Healthcare providers, health information networks or health information exchanges, and health IT developers of certified health IT must comply with the information blocking provisions. The definition of healthcare provider broadly covers hospitals and clinics, and other care settings across the continuum of care.
*Importantly, the rule clarifies providers would not be considered to be interfering with access, exchange or use of EHI (i.e., information blocking) if they are engaging in practices to educate patients about privacy and security risks posed by the apps patients choose to receive their EHI and provide them information to help in their decision making.*
8 Exceptions to Information Blocking
CATEGORY I: Exceptions that involve not fulfilling requests to access, exchange, or use of EHI:
- Practices reasonable and necessary to prevent harm to a patient or another person.
- Protecting an individual’s privacy.
- When interfering with the access, exchange, or use of EHI to protect the security of the EHI.
- Infeasible requests due to legitimate practical challenges, such as technological or legal.
- When taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the health IT’s overall performance.
CATEGORY II: Exceptions that involve procedures for fulfilling requests to access, exchange, or
- Limiting content of a response (i.e., scope of the EHI) to a request for access, exchange, use of EHI or manner in which the request if fulfilled. (Note: Using this exception to limit content requires providers at a minimum to provide the data elements identified in the USCDI standard during the first 24 months after the final rule is published and then providers must respond with EHI as defined in the rule).
- Charging fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI. This exception does not permit charging fees for electronic access by an individual, their personal representative, or any person/entity designated by the individual to access the individual’s EHI.
- In cases where the “actor” licenses its interoperability elements for EHI to be accessed, exchanged, or used.
The caveat for each of the 8 exceptions is that providers must meet certain conditions to satisfy an exception.
When must healthcare providers comply with the information blocking provisions?
Providers have 6 months from the date the final rule is published in the Federal Register to understand and implement policies and procedures supporting the eight information blocking exceptions, before they would be subject to any enforcement or disincentives. The effective date of enforcement would not be any earlier than the compliance date and may be later — dependent on the Office of Inspector General (OIG) forthcoming rules on information blocking enforcement.
*The ONC has extended compliance date to April 5, 2021. Read here for more information